{% extends "./layout.html" %} {% block title %}A10-Unvalidated Redirects and Forwards{% endblock %} {% block content %}
<div class="row">
    <div class="col-lg-12">
        <div class="bs-example" style="margin-bottom: 40px;">
            <span class="label label-warning">Exploitability: AVERAGE</span>
            <span class="label label-warning">Prevalence: COMMON</span>
            <span class="label label-danger">Detectability: EASY</span>
            <span class="label label-warning">Technical Impact: MODERATE</span>
        </div>
    </div>
</div>
<div class="row">
    <div class="col-lg-12">
        <div class="panel panel-info">
            <div class="panel-heading">
                <h3 class="panel-title">Description</h3>
            </div>
            <div class="panel-body">Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.</div>
        </div>

        <div class="panel panel-info">
            <div class="panel-heading">
                <h3 class="panel-title">Attack Mechanics</h3>
            </div>
            <div class="panel-body">
                <p>An attacker can use unvalidated redirected links as a medium to redirect user to malicious contents and tricks victims into clicking it. Attacker can exploit it to bypass security checks and make it believe trustworthy.</p>

                <p>For example, the "Learning Resources" link (
                    <code>/learn?url=...</code>) in the application redirects to another website without validating the url.
                </p>
                <iframe width="560" height="315" src="//www.youtube.com/embed/z98AQF8J_zg?rel=0" frameborder="0" allowfullscreen></iframe>
                <p>Here is code from
                    <code>routes/index.js</code>,
                    <pre>
    // Handle redirect for learning resources link
    app.get("/learn", function (req, res, next) {
        return res.redirect(req.query.url);
    });
                    </pre> An attacker can change the
                    <code>url</code>query parameter to point to malicious website and share it. Victims are more likely to click on it, as the initial part of the link (before query parameters) points to a trusted site.
                </p>
            </div>
        </div>
        <div class="panel panel-info">
            <div class="panel-heading">
                <h3 class="panel-title">How Do I Prevent It?</h3>
            </div>
            <div class="panel-body">
                <p>Safe use of redirects and forwards can be done in a number of ways:</p>
                <ol>
                    <li>Simply avoid using redirects and forwards.</li>
                    <li>If used, don’t involve user parameters in calculating the destination. This can usually be done.</li>
                    <li>If destination parameters can’t be avoided, ensure that the supplied value is valid, and authorized for the user.
                        <br>It is recommended that any such destination parameters be a mapping value, rather than the actual URL or portion of the URL, and that server side code translate this mapping to the target URL.</li>
                </ol>
            </div>
        </div>
    </div>
</div>{% endblock %}